Change Management
Change Management offers capabilities for tracking changes to AWS resources, defining maintenance windows for changes to systems, controlling specific actions during major events to avoid disruptions, and using automations to perform such change management tasks.
Change Manager
Change Management is an important part of Operational Excellence. Change Manager is a framework for requesting, approving, implementing, and reporting on operational changes to application configuration and infrastructure. The Change Manager feature allows the use of pre-approved change templates to assist in automating change processes.
Approvals are a key attribute of the change management process, and Change Manager allows approvals to be sent simultaneously or among different levels in a hierarchical organization, depending on your requirements. Change Manager integrates with Change Calendar so that after a request has been approved, the system determines whether the request conflicts with other business activities. If a conflict is detected, the change can be blocked or escalated for additional approvals before the runbook workflow runs.
Change templates contain the following attributes:
- One or more custom or AWS Managed Services (AMS) runbooks for a user to choose for creating a change request
- IAM users (or AWS Single Sign-On (AWS SSO) users) in the account who must review the change requests for the template
- Amazon Simple Notification Service (Amazon SNS) topic to notify assigned approvers that a change request is ready for review
- CloudWatch alarm that is used to monitor runbook workflow and automate provided rollback scripts
- Amazon SNS topic used to send status changes for change requests created by using the change template
Automation
Automating repeatable tasks is important for removing undifferentiated heavy lifting so your teams can focus on business development. This feature simplifies the automation of common maintenance and deployment tasks of EC2 instances and other AWS resources, enabling you to do the following tasks:
- Automate common IT tasks like stopping or restarting multiple servers with approval
- Automate workloads for AWS Multi-Account or AWS Multi-Region
- Simplify complex tasks like creating golden AMIs and recovering unreachable EC2 instances
- Enhance operations security using delegated administration to allow a particular user to run such automation documents through IAM permissions
- Run automation as an EventBridge target to perform a task-based operation on the event, such as scheduling, infrastructure state changes, or completion of another task
- Monitor automation progress and execution details by using the Systems Manager console
- Centralize configuration for application and AWS services
A Systems Manager Automation document defines the actions that Systems Manager performs on your managed instances and other AWS resources when an automation execution runs. A document contains one or more steps that run in sequential order or dynamically branch based on the results of the previous step. Each step is built around a single action. Output from one step can be used as input in a later step. The process of running these actions and their steps is called the automation workflow. For more information about the supported actions that you can use in your automation documents and workflows, whether to run custom Python scripts or PowerShell scripts or for other use cases, see the Systems Manager action reference.
AWS recommends that you take time to review the list of Systems Manager automation documents from AWS and AWS Support. These cover a number of common use cases and provide best practices in areas such as security, patching, remediation, resource and cost management, data backups, and more.
Maintenance Windows
Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances, such as patching an operating system, updating drivers, or installing software or patches. Maintenance Windows also let you schedule actions on numerous AWS resource types, including Amazon S3 buckets, Amazon Simple Queue Service (Amazon SQS) queues, AWS KMS keys, and many more.
Maintenance Windows consist of a schedule, a maximum duration, a set of registered targets (the instances or other AWS resources that are acted upon), and a set of registered tasks. Maintenance Windows can have specific dates before or after which the maintenance should not run, and you can specify the international time zone on which to base the maintenance window schedule.
Maintenance Windows support running the following tasks:
- Lambda functions
- AWS Step Functions tasks
- Automation workflows
- Run Command tasks

Systems Manager Maintenance Windows
Common use cases for Maintenance Windows:
- Install or update applications
- Apply patches
- Install or update AWS Systems Manager Agent (SSM Agent)
- Run PowerShell commands and Linux shell scripts using a Systems Manager Run Command task
- Build AMIs, bootstrap software, and configure instances using a Systems Manager Automation task
- Run Lambda functions that trigger additional actions, such as scanning your instances for patch updates
- Run Step Functions state machines to perform tasks such as removing an instance from an Elastic Load Balancing environment, patching the instance, and then adding the instance back to the Elastic Load Balancing environment
- Target instances that are offline by specifying an AWS resource group as the target
Note
Maintenance Windows support scheduling of maintenance tasks on an offset from a specific day in a specific week of the month.
For example, Microsoft’s patches are currently released on the second Tuesday of the month. To apply these patches, add the offset for the chosen day following Microsoft’s patch Tuesday.
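A maintenance window with the parts described above (schedule, duration, start date, time zone, registered target and task) and a Patch Tuesday offset, written as a CloudFormation template. This is an added example, not a template from AWS or from this paper; the resource names, tag key and value, time zone, dates and the two-day offset are assumptions.

```yaml
# Added example: hypothetical CloudFormation template. Names, tag values,
# dates and the offset are constructed for illustration.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: patch-after-patch-tuesday
      Schedule: 'cron(0 0 2 ? * TUE#2 *)'   # 02:00 on the second Tuesday of each month
      ScheduleOffset: 2                     # then wait 2 more days before the window opens
      ScheduleTimezone: America/New_York    # time zone the schedule is evaluated in
      StartDate: '2025-01-01T00:00:00-05:00' # window does not run before this date
      Duration: 3                           # maximum duration, in hours
      Cutoff: 1                             # stop starting new tasks 1 hour before the end
      AllowUnassociatedTargets: false       # only registered targets may be acted on
  PatchTargets:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:PatchGroup
          Values:
            - web
  PatchTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 1
      MaxConcurrency: '10%'                 # patch a tenth of the targets at a time
      MaxErrors: '1'                        # stop scheduling the task after one failure
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref PatchTargets
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation:
              - Install
```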
Change Calendar
Change Calendar lets you set up date and time ranges when actions you specify, such as executing Systems Manager Automation documents, may or may not be performed in your AWS account. These ranges are called events.
Change Calendar entries help keep your environment stable during event times. For example, you can create a Change Calendar entry to block changes when you expect high demand on your resources, such as during a conference or a marketing promotion. A calendar entry can also block changes when you expect limited administrator support, for example, during vacations or holidays. In the following screenshot, you see an example of a Change Calendar event created for a month-end freeze to block any deployments during this period.

Systems Manager Change Calendar
Change Calendar helps you control your environments and avoid disruptions to business operations. It lets you review planned changes, ensure that such changes run only during appropriate times, and get the current or upcoming state of the calendar.
Note
Calendars can be shared across AWS accounts. This will provide a single source of truth of when events are allowed or disallowed.
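The Automation section's step sequencing, step outputs and branching, combined with a Change Calendar check, shown as one runbook. This is an added example, not an AWS-managed document or content from this paper; the parameter and step names are hypothetical, and the role passed as AutomationAssumeRole is assumed to permit only the API calls these steps make.

```yaml
# Added example: hypothetical runbook, not an AWS-managed document.
description: Stop an instance only if the change calendar is OPEN and it is running.
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  InstanceId:
    type: String
  CalendarArn:
    type: String
  AutomationAssumeRole:
    type: String
mainSteps:
  # Gate: the step fails, and the workflow stops, unless the calendar is OPEN.
  - name: assertCalendarOpen
    action: aws:assertAwsResourceProperty
    inputs:
      Service: ssm
      Api: GetCalendarState
      CalendarNames: ['{{ CalendarArn }}']
      PropertySelector: '$.State'
      DesiredValues: [OPEN]
    nextStep: getInstanceState
  # Read the instance state and publish it as a step output.
  - name: getInstanceState
    action: aws:executeAwsApi
    inputs:
      Service: ec2
      Api: DescribeInstances
      InstanceIds: ['{{ InstanceId }}']
    outputs:
      - Name: State
        Selector: '$.Reservations[0].Instances[0].State.Name'
        Type: String
    nextStep: branchOnState
  # Branch on the earlier step's output; end if no choice matches.
  - name: branchOnState
    action: aws:branch
    inputs:
      Choices:
        - NextStep: stopInstance
          Variable: '{{ getInstanceState.State }}'
          StringEquals: running
    isEnd: true
  - name: stopInstance
    action: aws:changeInstanceState
    inputs:
      InstanceIds: ['{{ InstanceId }}']
      DesiredState: stopped
    isEnd: true
```

Passing the ARN of a calendar shared from a central account as CalendarArn lets runbooks in every account check the same calendar.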